Roman Danyliw has entered the following ballot position for draft-ietf-ace-key-groupcomm-17: No Objection
When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-ace-key-groupcomm/ ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- ** Section 1.1. Per the definition of “Group name” and GROUPNAME. The latter is defined as a “text string used in a URIs”. The former has no definition beyond saying it is an identifier. Is it not a text string? ** Section 1.1. * Individual keying material: information exclusively pertaining to a group member, as associated with its group membership and related to other keying material and parameters used in the group. For example, this can be a member identifier that is unique within the group. -- unlike group and node identifier, member identifier is not defined -- how is a member identifier an example of “keying material”? Is it an identifier for a key? ** Section 2. Per the comment “Defined in the ACE framework” in Figure 2, which framework is this text referencing? This document? RFC9200? ** Section 3.1. Editorial * 'scope', specifying the name of the groups that the Client requests to access, Should this be “name_s_ of the groups ...”? Otherwise, it reads as if there is a single name for a collection of groups. ** Section 3.1 * 'audience', with an identifier of the KDC. The definition of audience from Section 5.8.1 of RFC9200 points to RFC8693 (OAuth’s definition of audience). It says: ==[ snip ]== The logical name of the target service where the client intends to use the requested security token. This serves a purpose similar to the resource parameter but with the client providing a logical name for the target service. Interpretation of the name requires that the value be something that both the client and the authorization server understand. ==[ snip ]== Does the application profile have to specify the semantics of this audience value (just like the scope parameter)? ** Section 5. 2. The node has been found compromised or is suspected so. What triggers this behavior in #2? How does the KDC know about compromise? Can Clients tell it that? Can a Client evict another Client? ** Section 6.2.1. Reading this text as normative guidance seemed odd since the parent section 6.2 stated that the specifics of one-to-many is effectively out of scope and this document only provides high level guidance. ** Section 10. Security considerations are inherited from the ACE framework [RFC9200], and from the specific transport profile of ACE used between the Clients and the KDC, e.g., [RFC9202] and [RFC9203]. And from application profiles too which specify the details of the keys and tokens? ** Section 10 Unless otherwise defined by an application profile of this specification, the KDC SHOULD renew the group keying material upon a group membership change. ... Instead, the KDC might rekey the group after a minimum number of group members have joined or left within a given time interval, or after a maximum amount of time since the last group rekeying was completed, or yet during predictable network inactivity periods. The first sentence seems to be encouraging rekeying but subsequent text points out that this might not be reasonable. Should the initial “SHOULD” text be harmonized with this other more nuanced guidance? ** Typos -- Section 1. Typo. s/recommeded/recommended/ -- Section 2. Typo. s/membrs/members/ -- Section 3.1. Typo. s/ specificaton/specification/ -- Section 3.3.1. Typo. s/acces/access/ -- Section 4. Typo. s/trasferring/transferring/ _______________________________________________ Ace mailing list Ace@ietf.org https://www.ietf.org/mailman/listinfo/ace
